GDPR’s Right to Be Forgotten
Get ready for a wild ride regarding one of GDPR’s most intriguing components, also known as the Right to Erasure.
Cyber history is being made this week as the European Union begins requiring compliance with the General Data Protection Regulation (GDPR). One of the most intriguing articles in the GDPR is the “Right to be Forgotten,” also known as the “Right to Erasure.”
Article 17 of the GDPR states:
The data subject (i.e. EU citizens) shall have the right to obtain from the controller (i.e. the organization that collects, processes, and analyzes the data) the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of the following applies:
- The controller doesn’t need the data anymore
- The subject withdraws consent for the processing to which they previously agreed (and the controller doesn’t need to legally keep it [N.B. Many will, e.g. banks, for 7 years.])
- The subject uses their right to object (Article 21) to the data processing
- The controller and/or its processor is processing the data unlawfully
- There is a legal requirement for the data to be erased
- The data subject was a child at the time of collection (See Article 8 for more details on a child’s ability to consent)
To be ready for Article 17, it is imperative that data controllers truly understand the complexities of complying with the Right to be Forgotten and prepare themselves for the onslaught of requests that are sure to come flooding in from the start.
If an individual requests that information about them be removed, then the data controller must take all the steps outlined in GDPR. This includes receiving the request, validating the request, and making a determination about whether the data should be deleted. This, of course, involves added expense on the part of the organization. Depending on the amount of data, more people may have to be hired to handle the workload. If outsourcing this function, data could potentially traverse into the outsourcer’s control, making them also subject to GDPR requests. And it can get uglier.
Even if the data controller has a complicated algorithm or procedure in place to find a requester’s information, erase the data (not merely delete it), and prove that the data has been erased, the problem of missing pertinent data may still exist. The data most likely resides in multiple locations, including witness or network protection devices, various servers, cloud services, and even backups that may be in tape form. Keep in mind that the data may also reside on multiple devices in multiple countries across the globe, or sit encrypted on an old, tucked-away machine that no one has seen for years. To complicate the issue even more, the data could also reside on systems over which you may not have control, such as those of third-party companies that you use for outsourcing or other services. And that third party may share data with other companies that it uses as third parties. And so on and so on. Hopefully, you are starting to see the incredible and seemingly impossible task at hand.
And if you thought that I was done causing a tidal wave of panic there, you are incorrect. Once May 25th hits (tomorrow as of this posting), I am quite certain that the number of requests for data removal will be staggering.
Things can also get out of control with the speed of a tornado. For example, imagine a very public EU citizen is involved in or even accused of a scandal. Facebook, Twitter, Instagram and all other media outlets blow up with dozens of mentions, photos, etc. If you are Twitter, Facebook, or another social media platform, it may be nearly impossible to keep track of constant reposting or new posts of the information. Each time a piece of data is removed, more pops up in its place. Search engines automatically index and link to millions of posts, articles, and photos. All of this could unleash a massive data erasure tsunami! And even as the controllers are trying to erase data, more instances of the data keep popping up. It’s a cat and mouse game that may not be winnable, and at what expense to the resources of data controllers?
By following the 4 tips below, you can help ensure that you are on top of the issue:
- Make sure that you have an auditable process that can reasonably find, remove, and verify removal at scale. You need to be able to show due diligence if things get out of your control.
- If you are a large data controller, be prepared to shell out some additional funds to take requests and remove the data.
- Keep a record and inventory of all third parties you work with that may have copies of requested data, along with quick and easy agreed-upon terms and methods of communication and removal.
- Make sure that you have documented all areas where data may be stored including offline machines and backup tapes.
Only time will tell if the Right to be Forgotten will be able to work the way its framers intended. In the meantime, buckle up, expect a lot of turbulence, and get ready for a wild ride. If your organization needs help with GDPR compliance, look to CyberVista for on-site training that provides a path forward. Likewise, if you have any other comments or questions, please leave those below to keep the discussion going.